Atlassian Crowd 2.1.x < 3.0.5 / 3.1.x < 3.1.6 / 3.2.x < 3.2.8 / 3.3.x < 3.3.5 / 3.4.x < 3.4.4 RCE

Critical Nessus Network Monitor Plugin ID 701078

Synopsis

The version of Atlassian Crowd installed on the remote host is affected by an remote code execution (RCE) vulnerability.

Description

The version of Atlassian Crowd installed on the remote host is 2.1.x prior to 3.0.5, 3.1.x prior to 3.1.6, 3.2.x prior to 3.2.8, 3.3.x prior to 3.3.5 or 3.4.x prior to 3.4.4. It is, therefore, affected by a remote code execution (RCE) vulnerability. An unauthenticated, remote attacker can exploit this, by using pdkinstall development plugin, to install arbitrary plugins, which permits remote code execution.

Solution

Update to Crowd version 3.4.4 or later.

See Also

https://confluence.atlassian.com/crowd/crowd-security-advisory-2019-05-22-970260700.html

Plugin Details

Severity: Critical

ID: 701078

Family: CGI

Published: 2019/07/22

Updated: 2019/07/22

Dependencies: 9900

Nessus ID: 125477

Risk Information

Risk Factor: Critical

CVSS v2.0

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

CVSS v3.0

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:atlassian:crowd

Patch Publication Date: 2019/05/22

Vulnerability Publication Date: 2019/05/22

Reference Information

CVE: CVE-2019-11580

BID: 108637